Cyberattack knowledge graph-based modelling of IoT networks used in 
remote patient monitoring 


1. Which component in your framework is delivering the 
benefit/distinguisher you are 
describing. 
This framework combines the IoMT ontology, a knowledge graph populated 
with medical device data, and the integration of NVD CVE information 
through an API. This approach enables the framework to provide 
vulnerability predictions and alerts that enhance the security of remote 
patient monitoring systems. In this regard, the IoMT (Internet of Medical 
Things) ontology is an essential element of this framework, providing 
significant benefits to users, including patients and healthcare 
providers. It integrates knowledge from various sources, such as expert 
knowledge from healthcare professionals and literature on remote patient 
monitoring (RPM), medical devices, cybersecurity, and IoT in healthcare. 
The ontology captures the semantics of medical devices, covering the 
concepts and properties relevant to RPM settings as well as related 
entities such as patients, doctors, vulnerabilities, and the services 
associated with these medical devices. 


In addition, a knowledge graph will be proposed based on the developed 
ontology and a case study comprising data from medical devices. The graph 
also incorporates NVD (National Vulnerability Database) CVE (Common 
Vulnerabilities and Exposures) data retrieved through an API. This 
ensures that the framework remains up to date as new information is 
added to the NVD dataset. Notably, while several existing graphs populate 
NVD CVE information using their ontologies, this framework sets itself 
apart by using an API to access and incorporate the data, ensuring 
regular updates. The knowledge graph presents CTI (Cyber Threat 
Intelligence) information more concisely and clearly than traditional 
relational databases. By leveraging rule-based reasoning, the framework 
can predict upcoming vulnerabilities in the system, and based on this 
prediction it generates alerts that notify users about potential 
vulnerabilities and attacks in advance. 


2. Provide an example of each claim (as you imagine it to be, rather 
than what your system can do currently) 
Advanced Semantic Framework 
Our solution goes beyond partial automation, providing a comprehensive 
and intelligent framework to improve remote patient monitoring IoT 
network security: 


This framework acts as an intelligent agent that infers new facts in the 
ontology by performing automated reasoning. Imagine a healthcare 
organization that uses remote patient monitoring devices to monitor 
patients' vital signs (heart rate, blood pressure, oxygen saturation, 
etc.) and health conditions in their homes. These devices are 
interconnected through an IoT network (Wi-Fi, cloud), allowing real-time 
data transmission and monitoring. 

In this scenario, our solution comes into play to enhance the security of 
the entire system. It goes beyond partial automation and provides a 
holistic approach to network security by incorporating real-time threat 
monitoring capabilities. It actively scans for known vulnerabilities, 
exploits, and emerging threats specific to remote patient monitoring 
systems. By staying up to date with the latest threat intelligence, our 
solution can defend against potential vulnerabilities and ensure the 
network's ongoing security. In this example, our comprehensive and 
intelligent framework provides the healthcare organization with a robust 
security infrastructure for its remote patient monitoring IoT network. 
It safeguards the integrity of patient data, prevents unauthorized 
access, and enables timely detection of and response to security 
incidents. As a result, both healthcare providers and patients can have 
confidence in the security of the remote patient monitoring system, 
ensuring uninterrupted and secure care delivery. 


Expert Knowledge Integration 

SecureMedIoT captures and utilizes expert knowledge specific to remote 
patient monitoring in medical IoT settings, enabling accurate detection 
of cybersecurity attacks and vulnerabilities: 


The integration of domain expert knowledge is one of the key strengths of 
this framework. This expert knowledge comprises the insights, experience, 
and expertise of healthcare professionals and cybersecurity specialists 
who are familiar with remote patient monitoring and its associated 
cybersecurity challenges. Let's consider a scenario where a healthcare 
organization implements this framework to secure its remote patient 
monitoring system. The framework incorporates expert knowledge from 
doctors, nurses, and other healthcare professionals who have extensive 
experience in remote patient monitoring and understand the potential 
vulnerabilities and attack vectors in such settings. By capturing and 
integrating this expert knowledge, the framework builds a comprehensive 
understanding of the unique security challenges in remote patient 
monitoring. It leverages this knowledge to develop robust detection 
mechanisms and algorithms that can accurately identify cybersecurity 
attacks and vulnerabilities. For example, the framework may use the 
expert knowledge to define rules and patterns that represent known 
attack vectors, exploit techniques, or suspicious behaviour targeting 
medical IoT devices in remote patient monitoring. 


Vulnerability Analysis 

By extending the domain ontology with rules and complex queries, 
SecureMedIoT offers a complete model for reasoning about cyberattacks 
and vulnerabilities, offering unparalleled protection: 


In this framework, we leverage the National Vulnerability Database (NVD) 
dataset to conduct a comprehensive analysis of vulnerabilities in IoT 
networks for medical settings. The NVD dataset provides a standardized 
collection of vulnerabilities and exploits that have occurred in such 
environments. By incorporating this dataset into our framework, we gain 
valuable insights into the specific vulnerabilities that exist within 
these systems. Extending the domain ontology with rules and complex 
queries enables reasoning capabilities that go beyond simple data 
retrieval: the framework can identify potential vulnerabilities, assess 
their impact, and recommend mitigation strategies based on the knowledge 
encoded in the ontology and the rules. For example, the framework may 
employ a rule that associates a particular firmware version with a known 
vulnerability from the NVD dataset. This rule allows us to proactively 
identify all devices with the same firmware version as potentially 
vulnerable. Using complex queries, we can further analyse the network 
topology, device configurations, and other relevant factors to assess 
the potential impact of these vulnerabilities on the overall system. 


Seamless Validation 
SecureMedIoT's validation process uses a hypothetical scenario to ensure 
its effectiveness in real-world settings. 


For validation, this research proposes a hypothetical scenario against 
which the effectiveness of the framework is assessed. The scenario is as 
follows: 


John Smith, a 70-year-old patient enrolled in a remote patient monitoring 
program, uses wearable heart rate and blood pressure monitoring devices 
connected to a hospital's network. The network has vulnerabilities, and 
an attacker gains unauthorized access to manipulate his vital signs 
data. The attacker's actions compromise John's health and the system's 
reliability. The healthcare providers use this framework to detect 
vulnerabilities by analysing anomalies in the data and to see which 
component of the medical device is affected. It allows for the detection 
of complex relationships and dependencies that may not be apparent 
through manual analysis, which helps in identifying potential threats 
and mitigating risks in a timely manner. The use of a semantic ontology 
specific to remote patient monitoring and medical devices allows for a 
structured representation of concepts, properties, and relationships 
within the domain. 


For example: 

• Who is the vendor of a particular medical device? 
• Which firmware, version, OS, software or application are the medical 
  devices manufactured with? 
• Which type of sensor data is being transferred from those medical 
  devices? 
• Automated reasoning will be employed to analyse the collected data, 
  identify potential vulnerabilities, and generate alerts or 
  recommendations for mitigation. 


3. Look at your literature review and state how your claim (if working) 
is better/different to other work you have reviewed. 


In the domain of the Internet of Medical Things (IoMT) and cybersecurity 
for Remote Patient Monitoring (RPM), numerous ontologies have been 
published, [1]-[3] among others (provided in the literature review), 
addressing various aspects of the field. However, the ontology proposed 
in my research aims to provide a novel and comprehensive representation 
of medical devices, their users, device vendors, vulnerabilities, and 
more, offering extensive information within the cybersecurity context of 
RPM. This ontology establishes meaningful relationships and properties 
between these entities, capturing the semantics of the domain. By 
leveraging automated reasoning capabilities, the ontology enables the 
generation of alerts and notifications for healthcare providers and 
patients, contributing to enhanced security and vulnerability detection 
in the remote patient monitoring ecosystem. 


4. How can you evaluate and show each of these claims convincingly. 

Traditional security measures employed in remote patient monitoring 
IoT networks demonstrate limitations in effectively addressing 
cybersecurity attacks and vulnerabilities, including their semantic 
implications. These shortcomings result in the exposure of sensitive 
patient data to potential breaches, thereby posing significant risks to 
patient safety and security, potentially leading to severe consequences. 
Moreover, these security measures lack the necessary level of 
automation to keep up with the latest vulnerabilities in the system. 


Consequently, attackers can exploit threats until the user is notified of 
the vulnerability. To address these issues, the proposed framework, as 
depicted in Figure 1, presents a comprehensive pipeline of work, 
highlighting what data is stored and how it is processed within each 
component. 
Figure 1. The Semantic Framework for IoT networks in Remote Patient 
Monitoring 


Knowledge Acquisition 

The knowledge acquisition phase involves gathering comprehensive 
background knowledge and expertise from domain experts in the fields of 
cybersecurity and remote patient monitoring systems. This process 
includes identifying commonly used medical devices in Internet of 
Medical Things (IoMT) settings, understanding potential vulnerabilities 
and attacks targeting these devices, and determining the relevant 
security requirements. Standard vocabularies such as RDF (Resource 
Description Framework) and schema.org are used to identify and represent 
the data needed to develop the domain ontology. Data on the different 
types of IoT devices used in remote patient monitoring, potential 
cyberattacks, and their corresponding data types and functionality are 
collected. Extensive literature surveys are conducted to review existing 
ontologies in the cybersecurity field, such as the VulOntolog, which 
provides valuable concepts and properties that can be incorporated into 
the IoMT ontology for effective cybersecurity in remote patient 
monitoring systems. 


Knowledge Management 

After acquiring the data in the initial phase, the ontology development 
process begins. The ontology defines concepts and properties relevant to 
cybersecurity in remote patient monitoring systems, capturing their 
semantics to provide meaningful descriptions of these entities. The 
acquired data is annotated with semantic information that corresponds 
to the concepts and relationships defined in the ontology. Knowledge 
management is responsible for reasoning over the existing data to infer 
new facts within the ontology. The framework utilizes rule-based 
reasoning, where rules describe logical conditions and predict hidden 
relationships within the ontology. Reasoning algorithms are employed to 
analyze the knowledge graph and identify potential vulnerabilities and 
attack paths in the IoT network. 


Visualization and Query Interface 

The ontology data is stored in a knowledge graph, which also includes 
the data source NVD (National Vulnerability Database) with its Common 
Vulnerabilities and Exposures (CVE) data to display vulnerabilities 
associated with medical devices in the ontology. The knowledge graph 
provides visualization capabilities, allowing users to view the 
relationships and connections within the graph. Additionally, it offers a 
SPARQL endpoint that enables users to query the graph and assess the 
effectiveness of the framework. The knowledge graph also generates 
alerts to notify users about any new vulnerabilities that arise in the 
system. 


Users 

The users of this framework are stakeholders who can access and query 
the knowledge graph. They can view the graph's content, interact with 
the data, and receive alerts regarding vulnerabilities in the system. 
These users can include patients, doctors, healthcare providers, and 
other relevant stakeholders involved in remote patient monitoring 
systems. 


Key Benefits 

• Enhanced Security Posture: 
It leverages expert knowledge and the domain ontology to detect and 
combat cybersecurity attacks and vulnerabilities in remote patient 
monitoring. By effectively addressing network layer attacks and other 
threats, it improves the security posture of medical IoT environments. 

For example: 

An IoMT Ontology is developed to enrich the semantics of the RPM domain. 
This ontology contains the concepts related to vendors, products, 
medical devices, their vulnerabilities and exploits, which component of 
a medical device will be affected (i.e., OS, hardware, application, 
etc.), and more. 


• Comprehensive Knowledge Graph: 

Organizations can generate a powerful knowledge graph that captures the 
semantics of cyber threat intelligence (CTI) for IoT networks of medical 
devices. This enables the detection and mitigation of vulnerabilities, 
supporting measures to protect patient data. Fig 2(a) shows the 
domain-range graph for the IoMT knowledge graph and Fig 2(b) shows a 
particular vulnerability and its relationship with the Vulnerability 
concept. 
Fig 2. (a) The domain-range graph for the concept Product; (b) the CVE 
information about a vulnerability. 


• Integration with Industry Standards 

It seamlessly integrates with industry-standard vulnerability datasets, 
such as the National Vulnerability Database (NVD), to access the latest 
information on vulnerabilities. This ensures that remote patient 
monitoring IoT networks are continuously protected against emerging 
threats. Fig 3 shows the CVE, its severity, CIA (Confidentiality, 
Integrity, and Availability) impact, published date, exploit and exploit 
score, and CVSS score. Fig 4 shows the IoMT products and their 
functionalities aligned with the vulnerability information in the NVD 
dataset. 
Fig 3. The CVE statistics in GraphDB 
Fig 4. The products, their functions and relevant CVE information 


• Automated Reasoning over Aggregated Knowledge 

This framework will facilitate automated reasoning over the aggregated 
data coming from various sources such as the IoMT ontology, CVE 
information, or any other external source. For this purpose, rule sets 
will be developed. With the help of those rules, the system can detect 
vulnerabilities in advance. For example, a rule states that: 

"If a medical device firmware version x from the vendor y is known to 
have a specific vulnerability (based on historical data or NVD CVE 
information), then all devices with the same firmware version are 
considered vulnerable". 


SWRL: 


Product(?product) ∧ hasFirmware(?product, ?firmware) ∧ hasVendor(?product, ?vendor) ∧ 
hasVulnerability(?firmware, true) ∧ Product(?otherProduct) ∧ 
hasFirmware(?otherProduct, ?firmware) ∧ hasVendor(?otherProduct, ?vendor) ∧ 
DifferentFrom(?product, ?otherProduct) → isVulnerable(?product, true) 


DL Axioms: 


∀x. Product(x) ∧ ∃f. hasFirmware(x, f) ∧ ∃v. hasVendor(x, v) ∧ 
∃w. hasVulnerability(f, w) ∧ w = true → isVulnerable(x, true) 


If a product has a firmware with a vulnerability, then the product is 
vulnerable. 


∀x. ∀y. ∀f. ∀v. Product(x) ∧ Product(y) ∧ hasFirmware(x, f) ∧ 
hasFirmware(y, f) ∧ hasVendor(x, v) ∧ hasVendor(y, v) ∧ x ≠ y → 
isVulnerable(x, true) ∧ isVulnerable(y, true) 


If two different products have the same firmware and the same vendor, 
then both products are vulnerable. 
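The firmware rule from the Vulnerability Analysis section and the SWRL/DL rules above, worked through as an added example that is not the framework's own code: a small in-memory triple store, forward chaining of the rule, a query equivalent to the page's SPARQL, and the alerts the framework would raise. All device, vendor, firmware and CVE values are constructed, and the predicate names affectsFirmware, affectsVendor and isVulnerable are assumptions modelled on the rule's wording.

```python
"""Added example (not the framework's own code): a minimal in-memory knowledge
graph and the firmware/vendor vulnerability-propagation rule, implemented as
forward chaining over (subject, predicate, object) triples."""

# Constructed sample data; in the framework the CVE facts would come from the
# NVD API. "CVE-0000-00001" is a placeholder identifier, not a real CVE.
SAMPLE_TRIPLES = {
    ("hr_sensor_01", "hasVendor", "VendorA"),
    ("hr_sensor_01", "hasFirmware", "fw_2.1"),
    ("bp_sensor_07", "hasVendor", "VendorA"),
    ("bp_sensor_07", "hasFirmware", "fw_2.1"),
    ("spo2_sensor_03", "hasVendor", "VendorB"),  # same version string, other vendor
    ("spo2_sensor_03", "hasFirmware", "fw_2.1"),
    ("CVE-0000-00001", "affectsVendor", "VendorA"),
    ("CVE-0000-00001", "affectsFirmware", "fw_2.1"),
    ("CVE-0000-00001", "hasPublished", "2024-01-15"),
    ("CVE-0000-00001", "hasExploit", "true"),
}

def build_graph():
    return set(SAMPLE_TRIPLES)  # fresh mutable copy; inference adds triples to it

def match(graph, s=None, p=None, o=None):
    """Triples matching a basic graph pattern; None acts as a wildcard."""
    return [t for t in graph
            if (s is None or t[0] == s) and (p is None or t[1] == p)
            and (o is None or t[2] == o)]

def objects(graph, s, p):
    return {o for _, _, o in match(graph, s, p)}

def apply_firmware_rule(graph):
    """Page's rule: if firmware x from vendor y has a known CVE, every product with
    firmware x from vendor y isVulnerable to it; the vendor check spares VendorB."""
    inferred = set()
    for cve, _, fw in match(graph, p="affectsFirmware"):
        vendors = objects(graph, cve, "affectsVendor")
        for prod, _, _ in match(graph, p="hasFirmware", o=fw):
            if objects(graph, prod, "hasVendor") & vendors:
                inferred.add((prod, "isVulnerable", cve))
    graph |= inferred  # materialise the new facts, as a reasoner would
    return inferred

def products_for_cve(graph, cve_id):
    """Counterpart of the page's SPARQL query, but joined through isVulnerable:
    (product, cve, published, exploit) rows for one CVE identifier."""
    return sorted((prod, cve_id, pub, exp)
                  for prod, _, _ in match(graph, p="isVulnerable", o=cve_id)
                  for pub in objects(graph, cve_id, "hasPublished")
                  for exp in objects(graph, cve_id, "hasExploit"))

def alerts(graph):
    """One alert per inferred (product, CVE) pair; a known exploit raises priority."""
    return sorted(f"{'HIGH' if 'true' in objects(graph, cve, 'hasExploit') else 'MEDIUM'}: "
                  f"{prod} runs firmware affected by {cve}"
                  for prod, _, cve in match(graph, p="isVulnerable"))
```

Running `apply_firmware_rule` before `alerts` on `build_graph()` flags the two VendorA sensors and leaves the VendorB sensor alone, which is the vendor scoping the quoted rule requires.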


• Access the SPARQL Endpoint 

A SPARQL endpoint will be provided to access the interface, query the 
knowledge graph and see the results. From this endpoint, users 
(patients, doctors, and healthcare providers) can visualize, query, and 
update the data in the knowledge graph, and also receive alerts whenever 
a new vulnerability is detected. 

For example: 


SELECT ?Product ?Condition ?y ?p ?e 
WHERE { 
  ?Product a base:MedicalSensor . 
  ?Product IoMT:monitor ?Condition . 
  # Note: ?x is not linked to ?Product by any triple pattern, so as written 
  # every matching sensor is paired with the filtered CVE record. 
  ?x base:vulnerabilityID ?y . 
  ?x base:hasPublished ?p . 
  ?x base:hasExploit ?e . 
  FILTER (?y = "CVE-2023-1729") 
} 

This query retrieves the products associated with the CVE ID 
CVE-2023-1729, along with other relevant information such as the 
functionality provided by the product, the published date of the 
vulnerability, and its exploit. 